National Cyber Warfare Foundation (NCWF)

Hackers actively exploit critical RCE flaw in legacy D-Link DSL routers


2026-01-07 10:06:41
milo
Attacks


Attackers are exploiting a critical flaw (CVE-2026-0625) in old D-Link DSL routers that allows remote command execution.





Threat actors are actively exploiting a critical RCE flaw, tracked as CVE-2026-0625 (CVSS score of 9.3), in legacy D-Link DSL routers. The vulnerability is an OS command injection (improper neutralization of special elements used in an OS command) in the dnscfg.cgi endpoint, caused by improper input sanitization.





“Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution.” reported cybersecurity firm VulnCheck. “The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019.”
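For defenders who have HTTP logs from a proxy or sensor in front of such a gateway, the following added example (not from VulnCheck, D-Link or the original article) triages requests to the dnscfg.cgi endpoint described above. It assumes combined-log-format lines; the sample lines and the parameter name `example_param` are constructed placeholders, and only query strings are inspected because POST bodies do not appear in access logs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Client address and request target from a combined-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding (%253B -> %3B -> ;)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client, verdict) for a dnscfg.cgi request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/dnscfg.cgi"):
        return None
    values = [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if any(SHELL_META.search(v) for v in values):
        return client, "command-injection-attempt"
    # A parameterised request without metacharacters is still a DNS change attempt.
    return client, "dns-config-change" if values else "endpoint-probe"

def scan(lines):
    """Classify every line and keep only the dnscfg.cgi hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; "example_param" is a placeholder, not a real parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /dnscfg.cgi?example_param=192.0.2.53%3Bexample HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Jan/2026:10:00:05 +0000] "GET /cgi-bin/dnscfg.cgi?example_param=192.0.2.53%253Bexample HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /dnscfg.cgi?example_param=192.0.2.53 HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2026:10:00:12 +0000] "GET /dnscfg.cgi HTTP/1.1" 404 0',
    '198.51.100.5 - - [01/Jan/2026:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

Because the endpoint is reachable without authentication, any hit from an address outside the management network deserves review, not only the injection verdicts.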





Shadowserver researchers detected active exploitation on November 27, 2025. Experts have highlighted that the affected devices reached end-of-life status as early as 2020.





D-Link launched an internal probe after VulnCheck’s December 16, 2025 report of active exploitation and is reviewing affected models, with an updated list due soon.





“On December 16, 2025, VulnCheck (https://www.vulncheck.com/) reported active exploitation of a compromised CGI library observed in certain D-Link devices. D-Link initiated an internal investigation immediately and is tracing historical and current use of this CGI library across all applicable product offerings.” reads D-Link’s advisory. “Both D-Link and VulnCheck face complexity in precisely identifying all impacted models due to variations in firmware implementations and product generations. D-Link continues a detailed firmware-level review to determine affected devices. An updated list of specific models and, where applicable, firmware versions under review will be published later this week.





VulnCheck reported this issue after observing exploitation activity in live environments. Current analysis shows no reliable model number detection method beyond direct firmware inspection. For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation.”





Below is the list of impacted models:





D-Link




The attackers and scale of the hacking campaigns targeting the vulnerable devices remain unknown, but since the flaw affects obsolete DSL routers, users should replace them and upgrade to supported devices with security updates.










Pierluigi Paganini












Source: SecurityAffairs
Source Link: https://securityaffairs.com/186616/hacking/hackers-actively-exploit-critical-rce-flaw-in-legacy-d-link-dsl-routers.html





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.